CVE-2013-6858 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) "Volumes" or (2) "Network Topology" page.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Canonical	Ubuntu Linux
Openstack	Horizon
Opensuse	Opensuse

Configuration 1 [-]

cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:13.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:13.10:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html	Mailing List Third Party Advisory
http://secunia.com/advisories/55770	Third Party Advisory
http://secunia.com/advisories/56117	Third Party Advisory
http://www.securityfocus.com/bid/63787	Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-2062-1	Third Party Advisory
https://bugs.launchpad.net/horizon/+bug/1247675	Issue Tracking Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2013-11-23T17:00:00

Updated: 2016-12-20T16:57:01

Reserved: 2013-11-23T00:00:00

Link: CVE-2013-6858

JSON object: View

NVD Information

Status : Analyzed

Published: 2013-11-23T17:55:03.557

Modified: 2021-03-09T14:50:57.850

Link: CVE-2013-6858

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-11-15T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) \"Volumes\" or (2) \"Network Topology\" page."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-20T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "63787", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/63787"}, {"name": "USN-2062-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2062-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/horizon/+bug/1247675"}, {"name": "55770", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/55770"}, {"name": "openSUSE-SU-2015:0078", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"}, {"name": "56117", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/56117"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-6858", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) \"Volumes\" or (2) \"Network Topology\" page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "63787", "refsource": "BID", "url": "http://www.securityfocus.com/bid/63787"}, {"name": "USN-2062-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2062-1"}, {"name": "https://bugs.launchpad.net/horizon/+bug/1247675", "refsource": "CONFIRM", "url": "https://bugs.launchpad.net/horizon/+bug/1247675"}, {"name": "55770", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/55770"}, {"name": "openSUSE-SU-2015:0078", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"}, {"name": "56117", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/56117"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-6858", "datePublished": "2013-11-23T17:00:00", "dateReserved": "2013-11-23T00:00:00", "dateUpdated": "2016-12-20T16:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*", "matchCriteriaId": "801F21B7-CE52-41D3-9A7C-F4BCA5B114C9", "versionEndIncluding": "2013.2", "versionStartIncluding": "2013.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*", "matchCriteriaId": "EFAA48D9-BEB4-4E49-AD50-325C262D46D9", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*", "matchCriteriaId": "7F61F047-129C-41A6-8A27-FFCBB8563E91", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) \"Volumes\" or (2) \"Network Topology\" page."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en OpenStack Dashboard (Horizon) 2013.2 y anteriores versiones permiten a usuarios locales inyectar script web o HTML arbitrario a trav\u00e9s de un nombre de instancia en (1) \"Volumes\" o (2) \"Network Topology\"."}], "id": "CVE-2013-6858", "lastModified": "2021-03-09T14:50:57.850", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2013-11-23T17:55:03.557", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/55770"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/56117"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/63787"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2062-1"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugs.launchpad.net/horizon/+bug/1247675"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}